Deciding who is responsible for cybersecurity incidents

Shifting Liability

Who's responsible for cybersecurity incidents? While the answer was never clear, it's become even murkier over the last couple of years, marked by lots of finger-pointing and consequences aimed at boards, IT, users, senior management, business partners and the supply chain.

John Sapp, CISO at medical device company Orthofix, says the firing of top-level executives at Target and Sony after those organizations experienced serious breaches has turned more than a few heads. Once upon a time, IT – more specifically the security department – was responsible for preventing cybersecurity incidents and, if prevention failed, for shouldering the blame.

But now, the tide has turned – or, maybe, more accurately, swelled – to catch all departments, employees, boards, business partners, suppliers and the like in its wake. Companies are placing a premium on security, finally making department heads and everyone in the organization responsible for the company's overall security posture and ongoing training.

Sapp, who came on board as CISO about a year ago, says he now issues monthly written reports on the company's security status to top management and meets quarterly on security issues with a company steering committee that includes the CEO, CFO, the chief compliance and privacy officers and the legal team.

“Security has been identified as the number one risk in our organization,” Sapp says. “When I started a year ago, there were no formal IT security programs in place.”

Now, the security pro has implemented a full self-assessment risk approach that looks carefully at what data the company has, how it is classified and the controls that need to be in place.

“By doing this we have demonstrated a certain level of seriousness,” Sapp explains. “We've actually lowered our premiums for cyberinsurance because of our self-assessment approach.”

Climate change

Sapp says because of the increased emphasis on security at the company, various department heads at Orthofix have been more willing to approach him about building security into a product from the start.

For example, he says the company's clinical research affairs staff came to him a few weeks ago before they ran clinical trials on telemedicine devices, asking what the security risks are and how they can reduce their risk.

“I've been in health care IT for 11 years and that is something that simply would not have happened in the past,” Sapp says.

Gary Hayslip, CISO for the city of San Diego, adds that in discussions with his CISO peers around the region, he's found that at least 60 percent no longer report solely to the CIO.

“People are now reporting to the CEO, CFO or the chief risk officer,” Hayslip says. “CISOs are now the peers of the CIO and the cybersecurity department's team is being separated. Many CISOs are being asked to participate on boards.”

Hayslip also holds quarterly meetings with department heads and the city's administration, briefing them on security issues. “The more they understand, the more you can cut down on shadow IT,” he says. “I've been trying to get them to realize that breaches will happen. But if we have the right IT and policies in place, we can more effectively absorb a breach.”

Hayslip says the city has begun to experiment with Microsoft Azure for testing and development and runs many of its production applications in-house in an extensive private cloud environment. There are also many new applications that are being brought online and secured in Amazon Web Services. Hayslip says that has proven to be an attractive alternative.

Hayslip also finds that he can work closely with cloud providers to find the most secure solution. In one case, before the city signed on with Salesforce.com, the vendor offered its generic product that requires opening up several thousand IP addresses on its firewalls for vendor maintenance.

“I said there was no way we could approve that,” says the San Diego CISO. “The level of risk is just too high.”

The solution was for the city to deploy the Salesforce Gov Cloud, a version of Salesforce designed for government (federal, state and local) agencies, which requires opening up significantly fewer IP addresses.

“CISOs need to understand the risks and ask for alternatives,” he says. “Now we have a government version that's more secure. There was a bit of a cost differential, but it was worth it.”

Cyberinsurance feeling the heat

Chris Keegan, a senior managing director at insurance company Beecher Carlson, says that while policies vary, most insurance companies will only insure a company for the legal costs surrounding the breach, plus the costs of notifying customers.

And as far as negotiating with cloud providers to transfer the risk back to the provider, CISOs should not expect that providers such as AWS or Microsoft Azure will be willing negotiation partners.

“Think about it,” he says. “If the insurance company insures a breach at AWS it will have to cover not just one loss, but thousands of losses. It just can't happen, the cloud providers would be out of business.”

San Diego's Hayslip adds that providers such as AWS have very strict guidelines on what needs to happen. For example, in the event of a breach, both the provider and a third-party response team have to be notified.

“Everything is spelled out in terms of what they will cover and what needs to be done,” Hayslip explains. “Just don't expect to dictate to them, it's better if you try to work with them as a partner.”

John Mullen, an attorney who recently formed Mullen Coughlin to help companies with cyberinsurance issues, says there's no way the large cloud providers such as AWS, Microsoft and Google will take on any added risk.

“While they won't let you push back the risk to them, from a security perspective, going with a cloud provider can be a good idea because the large cloud providers are very good at segmenting each customer's security and usually have more resources than most companies for security,” Mullen says.

Mullen adds that one of the real problems with the transfer of responsibility concept is that it's all too new.

“For there to be case law on transfer of responsibility, we have to have a company that tests the concept with a cloud provider, a decision needs to be rendered and then it has to go through the appeals process before it's finally case law,” Mullen explains. “That takes time.”

Meanwhile, Mullen says flawed and confusing though it might be, companies need to purchase cyberinsurance. They also need to do more of what Orthofix and the city of San Diego are doing with their staffs: getting everyone in the organization involved.

Mullen says that while a lot has been written about the fraud liability shift where the credit card issuers have passed liability back to the retailers, the bigger shift to come is where companies build security into the entire organization.

“Security can no longer be just an IT problem,” says Mullen.

The security industry seeks to make thinking about security an across-the-board function. On a construction site, everyone today expects the workers to wear helmets and safety goggles. All offices have procedures for fires and emergencies such as bomb threats. The same needs to hold true for cybersecurity. Sure, security staff need to do their due diligence and deploy defense-in-depth security with firewalls, anti-malware software, security logs and an IPS, and insurance companies take that into consideration when they are reviewing a claim. But they will also be looking at how security permeates the organization.

How informed is top management? What role do the department heads play? And are the rank-and-file staffers trained properly in how to recognize phishing and ransomware attacks? Are employees using two-factor authentication and/or trained in how to make more secure passwords?

If your company has not gone down this road, then it's unrealistic to expect any transfer of responsibility. The onus is on you to change and protect your organization.